In August 2020, two FBI agents stood at my door, unannounced, wanting to ask me questions about a Nerdshala story we published a year earlier.
The story was about how a hacker stole thousands of documents, including visas and diplomatic passports, from a server in Mexico’s embassy in Guatemala. The hacker said he had contacted Mexican authorities about the vulnerable server but was ignored, and so the hacker tweeted a link to the embassy’s files. “When I don’t get a reply, it goes public,” the hacker told me.
I contacted Mexico’s consulate in New York for comment, as is standard practice when reporting a story. A spokesman said the Mexican government took the matter “very seriously.” We published our story, and it seemed like this was the end of it.
A year later the FBI knocked on my door and suggested it wasn’t. I refused to speak to the agents and closed the door.
After we published our story, the Mexican government requested the help of the US Department of Justice through diplomatic channels to investigate the hack and attempt to identify the hacker. Because I had contact with the hacker, that must have made me a subject of interest to the Mexican authorities, hence the visit a year later.
A month after the house call, the Mexican government provided the FBI with a list of written questions it wanted us to answer, many of which were already answered in the story. Our response to the DOJ declined to provide anything more than what we had already published.
Legal demands against journalists are not uncommon; some even see them as an occupational hazard of working in the media. The demands often come in the form of a threat, almost always to force the journalist or news outlet to withdraw a story, or sometimes to withhold a story before it is published. Journalists covering cyber security – a beat rarely known for its cheerful and upbeat headlines – are particularly prone to legal threats by companies or governments that want to avoid embarrassing headlines about their poor security practices.
Take the recent public standoff between Missouri Governor Mike Parson and the St. Louis Post-Dispatch newspaper, which the governor accused of illegal hacking after one of its reporters found thousands of Social Security numbers on the website of the state education department. The journalist verified this with three people whose Social Security numbers were exposed, immediately notified the state of the security lapse and held the story until the data was taken down.
Parson said the reporting violated the state’s hacking laws and ordered law enforcement and a county prosecutor to investigate the paper, claiming the reporting was “an attempt to embarrass the state.” Legal experts, lawmakers and even members of Parson’s own party ridiculed the governor for his rebuke of the newspaper, which was found to have acted completely ethically. Parson doubled down in a video paid for by his political action committee, which contained several false claims and called the newspaper “fake news”. Earlier this month, the department apologized for the lapse that eventually affected more than 620,000 state teachers.
Claiming illegality or unfairness is a tactic more widely used against security researchers, who find and reveal exposed personal information and security flaws before malicious hackers exploit them. Security researchers, like freelance journalists, often work alone and have no choice but to accept legal threats, for fear of the high legal cost of taking the case to court, even if their work is entirely legal and may help prevent a potentially bad security incident down the line. Not all of them have an experienced and willing media legal team to back them up.
We’ve dismissed fake legal demands before, but having a federal agent at your door just for doing your job is definitely a new one for me. There’s no suggestion of wrongdoing, though it’s troubling not to know what Mexico would consider if I ever set foot on its soil.
But it is the legal threats and demands that do not make it to print that can cause the most damage. Legal demands have an inherently silencing effect. Sometimes they succeed. Journalism can be risky and newsrooms don’t always win. Left unchecked, legal threats can have a chilling effect that harms both security research and journalism by making the work legally toxic. This means that the world is less informed and sometimes less secure.